RC-40634. Made the changes

rafay/resource_eks_cluster.go

@@ -660,6 +660,11 @@ func podIdentityAssociationsFields() map[string]*schema.Schema {
 			Type:        schema.TypeBool,
 			Optional:    true,
 			Description: "enable flag to create service account",
+			DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+				// During CREATE the resource is still "new" → allow the diff.
+				// Afterwards, suppress any attempted change so TF doesn't even
+				// try to plan it; the Update code will throw a hard error.
+				return !d.IsNewResource()
 		},
 		"role_name": {
 			Type:        schema.TypeString,

rafay/resource_eks_pod_identity.go

@@ -88,6 +88,18 @@ func resourceEksPodIdentityUpdate(ctx context.Context, d *schema.ResourceData, m
 		return diag.FromErr(fmt.Errorf("spec not specified"))
 	}
 
+	if d.HasChange("spec") {
+		oldRaw, newRaw := d.GetChange("spec")
+
+		oldFlag := extractCreateServiceAccount(oldRaw)
+		newFlag := extractCreateServiceAccount(newRaw)
+
+		if oldFlag != newFlag {
+			return diag.Errorf(
+				"create_service_account is immutable. ")
+		}
+	}
+
 	if len(podIdentity) == 0 {
 		return diag.FromErr(errors.New("could not get pod identity associations"))
 	}
@@ -421,6 +433,17 @@ func resourceEksPodIdentityDelete(ctx context.Context, d *schema.ResourceData, m
 	return diags
 }
 
+func extractCreateServiceAccount(raw interface{}) bool {
+	if l, ok := raw.([]interface{}); ok && len(l) > 0 && l[0] != nil {
+		if m, ok := l[0].(map[string]interface{}); ok {
+			if v, ok := m["create_service_account"].(bool); ok {
+				return v
+			}
+		}
+	}
+	return false
+}
+
 func getIdFromName(clusterName string, projectName string) (string, string, error) {
 	resp, err := project.GetProjectByName(projectName)
 	if err != nil {